View Rahoul Baruah's profile on LinkedIn Basecamp project management and collaboration

made of stone

The blog of Rahoul Baruah from 3hv Ltd

What's going on?

My name is Rahoul Baruah (aka Baz) and I'm a software developer in Leeds (England).

This is a log of things I've discovered while writing software in Ruby on Rails. In other words, geek stuff.

However, I've decided to put this blog on ice - I would ask you to check out my business blog here (or subscribe here).

30 January, 2006

SQL Server Stored Procedures and Rails

DHH says "it's not the Rails way" but I needed to access our application's stored procedures, so I wrote a module to do it.

This code is Copyright 2006 Rahoul Baruah - and is made available under the terms of the GNU Lesser General Public Licence.

Copy this code into a file named "sql_server.rb" and drop it into your models folder. Then, take one of your actual models, "include SQLServer" - and you have access to these functions that allow you to call SQL Server stored procedures.

Posted on Monday, January 30, 2006

6 comments:

Anonymous said...

unless you do lots of validation on the paramaters, this method could be used to launch an injection attack against the database.
eg
set one of the paramaters to be ';drop table ImportantTable'
the sql then executed is

exec @return_value = exec Myproc ; drop table ImportantTable

and the table ImportantTable is dropped

1:18 pm, January 30, 2006
Baz said...

I've changed it to quote all parameter values - so now it relies on SQL Server to do the right thing (which is pretty doubtful).

1:58 pm, January 30, 2006
Joe Williams said...

Hahahahahahahaha stupid priests

1:22 am, February 12, 2006
Anonymous said...

if youre doing dynamic sql by parameters you deserve any stupid njections you get

5:05 am, August 22, 2006
Baz said...

yes, there's an M in MVC you know

8:18 pm, August 26, 2006
Joshua Brule said...

Thanks alot. Great help

6:37 pm, July 21, 2008

Post a Comment

Subscribe to: Post Comments (Atom)
eXTReMe Tracker